The end of Safe Harbor….what’s next?

On October 6, 2015, the Court of Justice of the European Union (“CJEU”) – the European Union’s highest court – struck down the 15-year old Safe Harbor Agreement that allows companies to transfer personal data about EU citizens from European Union countries to servers in the United States, and replaced it with Privacy Shield. The information routinely transferred between the EU and the US included items like people’s web search histories and social media updates on platforms like Facebook or Instagram. The full text of the decision can be found here:

http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf

As background information, EU law prohibits the transfer of personal information outside the EU, unless the receiving country provides an adequate level of privacy protection.  The European Commission determined that the US doesn’t offer the required level of protection.  In order to address that issue, the EU and the US entered into the Safe Harbor Agreement in 2000, allowing American companies to self-certify that they provide protections that are equivalent to the requirements of the EU’s Data Protection Directive.  At the time of the decision, approximately 5,000 companies relied on the Safe Harbor Agreement to transfer personal data from the EU to the US.

In 2013, Edward Snowden leaked information that the NSA was running a vast surveillance operation covering data about Europeans and other foreign citizens, data stored by American companies operating in the EU.

Privacy campaigner Max Schrems asked the Irish Data Protection Commission (the “Commission”) to audit what material Facebook might be passing on.

However, the Commission declined, noting that the data transfer was covered by the Safe Harbor Agreement.

When Schrems contested the decision, the matter was referred to CJEU. As indicated above, CJEU reversed the decision by the Commission; the basis for that reversal was the CJEU’s conclusion that the Safe Harbor Agreement should be struck down. 

Following the October 6, 2015, decision, the European Commission said it would issue “clear guidance” in the coming weeks to prevent local data authorities issuing conflicting rulings. The decision by the CJEU does not order an immediate end to those personal-data transfers. It rules that national regulators have the right to investigate and suspend them if they don’t provide sufficient protections, creating new legal risks for companies.

Meanwhile, U.S. and European regulators are negotiating an updated Safe Harbor Agreement, but the timetable is unclear.

Many large technology companies, including Alphabet, Amazon, Facebook and Microsoft advised they already have set up backup legal mechanisms in a bid to avoid clashes with regulators. One option for the US companies operating in Europe would be to expand the size of their data center in the EU.

Additionally, EU law provides for other ways to transfer personal data legally. Among them are so-called model contracts, which use language published by European officials. Another option would require companies to appeal to individual national regulators in Europe, a lengthy process.

Lastly, as of July 12, 2016, Privacy Shield as been enacted and approved for EU-US data transfer.  There are some similarities and a few differences that we will discuss in a future post.